001/** 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.activemq.security; 018 019import java.util.Arrays; 020import java.util.Set; 021 022import org.apache.activemq.broker.Broker; 023import org.apache.activemq.broker.BrokerFilter; 024import org.apache.activemq.broker.ConnectionContext; 025import org.apache.activemq.broker.ProducerBrokerExchange; 026import org.apache.activemq.broker.region.CompositeDestinationInterceptor; 027import org.apache.activemq.broker.region.Destination; 028import org.apache.activemq.broker.region.DestinationInterceptor; 029import org.apache.activemq.broker.region.RegionBroker; 030import org.apache.activemq.broker.region.Subscription; 031import org.apache.activemq.command.ActiveMQDestination; 032import org.apache.activemq.command.ActiveMQQueue; 033import org.apache.activemq.command.ActiveMQTopic; 034import org.apache.activemq.command.ConsumerInfo; 035import org.apache.activemq.command.DestinationInfo; 036import org.apache.activemq.command.Message; 037import org.apache.activemq.command.ProducerInfo; 038 039/** 040 * Verifies if a authenticated user can do an operation against the broker using 041 * an authorization map. 042 * 043 * 044 */ 045public class AuthorizationBroker extends BrokerFilter implements SecurityAdminMBean { 046 047 private volatile AuthorizationMap authorizationMap; 048 049 public AuthorizationBroker(Broker next, AuthorizationMap authorizationMap) { 050 super(next); 051 this.authorizationMap = authorizationMap; 052 053 // add DestinationInterceptor 054 final RegionBroker regionBroker = (RegionBroker) next.getAdaptor(RegionBroker.class); 055 final CompositeDestinationInterceptor compositeInterceptor = (CompositeDestinationInterceptor) regionBroker.getDestinationInterceptor(); 056 DestinationInterceptor[] interceptors = compositeInterceptor.getInterceptors(); 057 interceptors = Arrays.copyOf(interceptors, interceptors.length + 1); 058 interceptors[interceptors.length - 1] = new AuthorizationDestinationInterceptor(this); 059 compositeInterceptor.setInterceptors(interceptors); 060 } 061 062 public AuthorizationMap getAuthorizationMap() { 063 return authorizationMap; 064 } 065 066 public void setAuthorizationMap(AuthorizationMap map) { 067 authorizationMap = map; 068 } 069 070 protected SecurityContext checkSecurityContext(ConnectionContext context) throws SecurityException { 071 final SecurityContext securityContext = context.getSecurityContext(); 072 if (securityContext == null) { 073 throw new SecurityException("User is not authenticated."); 074 } 075 return securityContext; 076 } 077 078 protected boolean checkDestinationAdmin(SecurityContext securityContext, ActiveMQDestination destination) { 079 Destination existing = this.getDestinationMap(destination).get(destination); 080 if (existing != null) { 081 return true; 082 } 083 084 if (!securityContext.isBrokerContext()) { 085 Set<?> allowedACLs = null; 086 if (!destination.isTemporary()) { 087 allowedACLs = authorizationMap.getAdminACLs(destination); 088 } else { 089 allowedACLs = authorizationMap.getTempDestinationAdminACLs(); 090 } 091 092 if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { 093 return false; 094 } 095 } 096 return true; 097 } 098 099 @Override 100 public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception { 101 final SecurityContext securityContext = checkSecurityContext(context); 102 103 if (!checkDestinationAdmin(securityContext, info.getDestination())) { 104 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to create: " + info.getDestination()); 105 } 106 107 super.addDestinationInfo(context, info); 108 } 109 110 @Override 111 public Destination addDestination(ConnectionContext context, ActiveMQDestination destination,boolean create) throws Exception { 112 final SecurityContext securityContext = checkSecurityContext(context); 113 114 if (!checkDestinationAdmin(securityContext, destination)) { 115 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to create: " + destination); 116 } 117 118 return super.addDestination(context, destination,create); 119 } 120 121 @Override 122 public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception { 123 final SecurityContext securityContext = checkSecurityContext(context); 124 125 if (!checkDestinationAdmin(securityContext, destination)) { 126 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + destination); 127 } 128 129 super.removeDestination(context, destination, timeout); 130 } 131 132 @Override 133 public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception { 134 final SecurityContext securityContext = checkSecurityContext(context); 135 136 if (!checkDestinationAdmin(securityContext, info.getDestination())) { 137 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to remove: " + info.getDestination()); 138 } 139 140 super.removeDestinationInfo(context, info); 141 } 142 143 @Override 144 public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception { 145 final SecurityContext securityContext = checkSecurityContext(context); 146 147 Set<?> allowedACLs = null; 148 if (!info.getDestination().isTemporary()) { 149 allowedACLs = authorizationMap.getReadACLs(info.getDestination()); 150 } else { 151 allowedACLs = authorizationMap.getTempDestinationReadACLs(); 152 } 153 154 if (!securityContext.isBrokerContext() && allowedACLs != null && !securityContext.isInOneOf(allowedACLs) ) { 155 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to read from: " + info.getDestination()); 156 } 157 securityContext.getAuthorizedReadDests().put(info.getDestination(), info.getDestination()); 158 159 /* 160 * Need to think about this a little more. We could do per message 161 * security checking to implement finer grained security checking. For 162 * example a user can only see messages with price>1000 . Perhaps this 163 * should just be another additional broker filter that installs this 164 * type of feature. If we did want to do that, then we would install a 165 * predicate. We should be careful since there may be an existing 166 * predicate already assigned and the consumer info may be sent to a 167 * remote broker, so it also needs to support being marshaled. 168 * info.setAdditionalPredicate(new BooleanExpression() { public boolean 169 * matches(MessageEvaluationContext message) throws JMSException { if( 170 * !subject.getAuthorizedReadDests().contains(message.getDestination()) ) { 171 * Set allowedACLs = 172 * authorizationMap.getReadACLs(message.getDestination()); 173 * if(allowedACLs!=null && !subject.isInOneOf(allowedACLs)) return 174 * false; subject.getAuthorizedReadDests().put(message.getDestination(), 175 * message.getDestination()); } return true; } public Object 176 * evaluate(MessageEvaluationContext message) throws JMSException { 177 * return matches(message) ? Boolean.TRUE : Boolean.FALSE; } }); 178 */ 179 180 return super.addConsumer(context, info); 181 } 182 183 @Override 184 public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception { 185 final SecurityContext securityContext = checkSecurityContext(context); 186 187 if (!securityContext.isBrokerContext() && info.getDestination() != null) { 188 189 Set<?> allowedACLs = null; 190 if (!info.getDestination().isTemporary()) { 191 allowedACLs = authorizationMap.getWriteACLs(info.getDestination()); 192 } else { 193 allowedACLs = authorizationMap.getTempDestinationWriteACLs(); 194 } 195 if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { 196 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to write to: " + info.getDestination()); 197 } 198 securityContext.getAuthorizedWriteDests().put(info.getDestination(), info.getDestination()); 199 } 200 201 super.addProducer(context, info); 202 } 203 204 @Override 205 public void send(ProducerBrokerExchange producerExchange, Message messageSend) throws Exception { 206 final SecurityContext securityContext = checkSecurityContext(producerExchange.getConnectionContext()); 207 208 if (!securityContext.isBrokerContext() && !securityContext.getAuthorizedWriteDests().containsValue(messageSend.getDestination())) { 209 210 Set<?> allowedACLs = null; 211 if (!messageSend.getDestination().isTemporary()) { 212 allowedACLs = authorizationMap.getWriteACLs(messageSend.getDestination()); 213 } else { 214 allowedACLs = authorizationMap.getTempDestinationWriteACLs(); 215 } 216 217 if (allowedACLs != null && !securityContext.isInOneOf(allowedACLs)) { 218 throw new SecurityException("User " + securityContext.getUserName() + " is not authorized to write to: " + messageSend.getDestination()); 219 } 220 securityContext.getAuthorizedWriteDests().put(messageSend.getDestination(), messageSend.getDestination()); 221 } 222 223 super.send(producerExchange, messageSend); 224 } 225 226 // SecurityAdminMBean interface 227 // ------------------------------------------------------------------------- 228 229 @Override 230 public void addQueueRole(String queue, String operation, String role) { 231 addDestinationRole(new ActiveMQQueue(queue), operation, role); 232 } 233 234 @Override 235 public void addTopicRole(String topic, String operation, String role) { 236 addDestinationRole(new ActiveMQTopic(topic), operation, role); 237 } 238 239 @Override 240 public void removeQueueRole(String queue, String operation, String role) { 241 removeDestinationRole(new ActiveMQQueue(queue), operation, role); 242 } 243 244 @Override 245 public void removeTopicRole(String topic, String operation, String role) { 246 removeDestinationRole(new ActiveMQTopic(topic), operation, role); 247 } 248 249 public void addDestinationRole(javax.jms.Destination destination, String operation, String role) { 250 } 251 252 public void removeDestinationRole(javax.jms.Destination destination, String operation, String role) { 253 } 254 255 @Override 256 public void addRole(String role) { 257 } 258 259 @Override 260 public void addUserRole(String user, String role) { 261 } 262 263 @Override 264 public void removeRole(String role) { 265 } 266 267 @Override 268 public void removeUserRole(String user, String role) { 269 } 270 271}